Important HIPAA Notice
HTJ2K MetaWave codec software operates entirely on your local device and does NOT collect, transmit, or store Protected Health Information (PHI) or medical images. Therefore, for codec usage alone, we are NOT a Business Associate under HIPAA.
However, if you share PHI with us during support interactions or request our cloud services, we will execute a Business Associate Agreement (BAA).
1. HIPAA Overview
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting patient health information. Organizations handling Protected Health Information (PHI) must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule.
2. Our HIPAA Posture
2.1 Codec Software (Local Processing)
Not a Business Associate for Codec Usage
The HTJ2K MetaWave codec runs entirely on your device:
- No PHI transmission: Images never leave your device
- No cloud processing: All computation occurs locally via Metal GPU
- No telemetry of medical data: Optional performance metrics (FPS, resolution) contain no PHI
- Offline operation: Internet connection not required
Conclusion: Since we do not create, receive, maintain, or transmit PHI during codec usage, we are NOT a Business Associate under 45 CFR § 160.103.
2.2 Support Interactions (BAA Required)
Business Associate Relationship Possible
If you share PHI with us during support:
- Sending screenshots of DICOM images with patient names
- Providing sample medical images for debugging
- Discussing patient-specific cases
- Using our cloud services (if/when available)
We will execute a Business Associate Agreement (BAA) before accessing any PHI. Contact legal@htmeta.dev to request a BAA.
2.3 Your Responsibility as Covered Entity
If you are a HIPAA Covered Entity (hospital, clinic, PACS vendor), you remain responsible for:
- Ensuring your systems using our codec comply with HIPAA Security Rule
- Implementing access controls, audit logs, and encryption
- Training your workforce on HIPAA compliance
- Executing BAAs with your own Business Associates
- Conducting risk assessments
- Breach notification if PHI is compromised
3. HIPAA Security Rule Considerations
3.1 Technical Safeguards
While the codec itself doesn't handle PHI transmission, consider these implementation best practices:
Access Control
- Implement user authentication on devices running the codec
- Use macOS FileVault disk encryption
- Enable Touch ID/Face ID for device access
- Use unique user accounts (no shared credentials)
Audit Controls
- Log all codec operations (who, what, when)
- Monitor license key usage
- Track image processing activities
- Retain logs per HIPAA requirements (6 years)
Integrity Controls
- Verify codec binary integrity (code signing)
- Validate image checksums post-compression
- Ensure lossless mode for diagnostic images
- Test compression quality regularly
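The two controls above that can be automated, "validate image checksums post-compression" and "log all codec operations (who, what, when)", fit naturally in one routine. The following is an added example, not code from the HTJ2K MetaWave codec or its documentation: it hashes the pixel buffer before encoding, decodes, compares, and emits a JSON audit record that carries the operator, operation, timestamp and content hashes but no patient identifiers. zlib stands in for the codec's lossless mode, the lossy path is a constructed stand-in that drops the low bits of each sample so the check has a failure to catch, and the pixel frame is constructed, not a real image.

```python
"""Lossless round-trip integrity check with a PHI-free audit record.

Added example; assumptions are labelled in the comments below.
"""
import hashlib
import json
import struct
import zlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compress_lossless(pixels: bytes) -> bytes:
    # Assumption: zlib stands in for the codec's lossless mode.
    return zlib.compress(pixels)


def decompress_lossless(blob: bytes) -> bytes:
    return zlib.decompress(blob)


def compress_lossy(pixels: bytes) -> bytes:
    # Constructed stand-in for a lossy mode: clear the low 4 bits of every
    # 16-bit sample before compressing, so the decoded bytes cannot match.
    samples = struct.unpack(f"<{len(pixels) // 2}H", pixels)
    quantized = struct.pack(f"<{len(samples)}H", *[s & 0xFFF0 for s in samples])
    return zlib.compress(quantized)


def make_sample_frame(width: int = 64, height: int = 64) -> bytes:
    # Constructed 12-bit grayscale gradient packed as little-endian uint16.
    samples = [((x * 37 + y * 91) % 4096) for y in range(height) for x in range(width)]
    return struct.pack(f"<{len(samples)}H", *samples)


def verify_roundtrip(pixels: bytes, compress, decompress, *, user: str, image_ref: str):
    """Hash pixels before encoding, decode the result, compare the hashes.

    Returns (ok, audit_record). The record holds who/what/when plus content
    hashes; image_ref is an opaque local job id, never a patient identifier.
    """
    sha_in = sha256_hex(pixels)
    blob = compress(pixels)
    sha_out = sha256_hex(decompress(blob))
    ok = sha_in == sha_out
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "op": "compress+verify",
        "image_ref": image_ref,
        "sha256_in": sha_in,
        "sha256_out": sha_out,
        "bytes_in": len(pixels),
        "bytes_out": len(blob),
        "result": "OK" if ok else "MISMATCH",
    }
    return ok, record


def audit_line(record: dict) -> str:
    # One JSON object per line; append to a write-once log you retain per policy.
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    frame = make_sample_frame()
    for name, enc in (("lossless", compress_lossless), ("lossy", compress_lossy)):
        ok, rec = verify_roundtrip(frame, enc, decompress_lossless,
                                   user="tech1", image_ref=f"local-job-{name}")
        print(audit_line(rec))
```

The lossy run is the case the integrity control exists for: the decoded hash differs, the record says MISMATCH, and an image meant for primary diagnosis would be rejected before it reaches the archive. Binary integrity of the codec itself (code signing) is a separate check and is not covered here.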
Transmission Security
- Encrypt images in transit (TLS 1.3+)
- Use VPN for remote PACS access
- Disable telemetry if concerned about metadata
- Secure API keys and license keys
3.2 Physical Safeguards
- Device Security: Lock MacBooks/Mac Studios when unattended
- Facility Access: Restrict access to workstations running the codec
- Disposal: Securely wipe devices before disposal (NIST SP 800-88)
3.3 Administrative Safeguards
- Risk Assessment: Conduct annual HIPAA risk analysis
- Policies: Document codec usage in your security policies
- Training: Train staff on secure codec usage
- Incident Response: Have a breach response plan
4. Business Associate Agreement (BAA)
4.1 When BAA is Required
We will sign a BAA if:
- You need to share PHI-containing images for support
- You request custom development involving PHI
- You use future cloud-based services (if/when launched)
- Your compliance officer requires it for audit purposes
4.2 BAA Key Terms
Our standard BAA includes:
- Permitted Uses: Technical support and codec improvement only
- Safeguards: Encryption, access controls, audit logs
- Subcontractors: AWS (if cloud services are used); we ensure downstream BAAs are in place
- Breach Notification: Notify you within 24 hours of discovery
- Termination: Return or destroy PHI upon contract end
- Right to Audit: You may audit our compliance (with reasonable notice)
4.3 Requesting a BAA
Need a Business Associate Agreement?
Contact our legal team to execute a BAA. Turnaround time: 5-10 business days.
Email: legal@htmeta.dev
Subject: BAA Request - [Your Organization Name]
5. DICOM and Medical Imaging Considerations
5.1 Metadata Handling
DICOM images contain PHI in metadata tags (patient name, MRN, DOB, etc.). The codec:
- Preserves all DICOM tags during compression (required for compliance)
- Does NOT extract, log, or transmit metadata
- Supports DICOM anonymization (if you apply it before encoding)
- Your responsibility: anonymize images before sharing them with us for support
5.2 De-Identification
If sending us sample images, use DICOM de-identification per the HIPAA Safe Harbor method (45 CFR § 164.514(b)):
- Remove the 18 identifiers: names, dates (except year), MRN, etc.
- Use tools such as CTP, DICOM Anonymizer, or Orthanc
- Verify pixel data doesn't contain burned-in PHI (text overlays)
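To make the three steps above concrete, here is an added example of a Safe Harbor pass over DICOM header attributes; it is not code from the codec, its documentation, or any of the tools named above. The dataset is modelled as a dict from (group, element) tag tuples to values, which is what a DICOM library such as pydicom gives you; the tag numbers are the standard DICOM ones, the sample values are constructed. Two design choices are assumptions: dates keep only the year (rewritten as YYYY0101), and ages over 89 collapse to "090Y". The tag table covers the identifiers a typical header carries, not all 18 Safe Harbor categories; a production de-identifier should follow a full profile such as DICOM PS3.15. The example also does what the last bullet asks: it flags BurnedInAnnotation=YES for manual pixel review, and it scans the remaining free-text attributes for fragments of the identifiers it just removed, which catches names copied into ImageComments.

```python
"""Safe Harbor de-identification of DICOM header attributes (added example)."""
import re

# Direct identifiers removed outright: (group, element) -> standard attribute name.
REMOVE_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",  # MRN
    (0x0010, 0x1000): "OtherPatientIDs",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
    (0x0008, 0x0050): "AccessionNumber",
    (0x0008, 0x0080): "InstitutionName",
    (0x0008, 0x0090): "ReferringPhysicianName",
}
# DA attributes (YYYYMMDD): everything but the year is removed.
DATE_TAGS = {
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0023): "ContentDate",
}
AGE_TAG = (0x0010, 0x1010)        # PatientAge, e.g. "094Y"
BURNED_IN = (0x0028, 0x0301)      # BurnedInAnnotation, "YES"/"NO"
PIXEL_DATA = (0x7FE0, 0x0010)

# Constructed sample header; no real patient.
SAMPLE = {
    (0x0008, 0x0020): "20230417",
    (0x0008, 0x0050): "ACC-88213",
    (0x0008, 0x0080): "Example General Hospital",
    (0x0008, 0x0090): "SMITH^ALAN",
    (0x0010, 0x0010): "DOE^JANE",
    (0x0010, 0x0020): "4471209",
    (0x0010, 0x0030): "19291105",
    (0x0010, 0x1010): "094Y",
    (0x0020, 0x4000): "Follow-up for Jane Doe, MRN 4471209",  # ImageComments
    (0x0028, 0x0301): "YES",
    (0x7FE0, 0x0010): b"\x00\x01" * 8,
}


def _tokens(value: str):
    # Name components ("DOE^JANE") and ids become separate tokens of 3+ chars.
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", value) if len(t) >= 3}


def de_identify(ds: dict):
    """Return (de-identified copy, list of findings needing manual review)."""
    out = dict(ds)
    flags = []

    # Remember identifier fragments before deleting them, for the residue scan.
    residue = set()
    for tag in REMOVE_TAGS:
        val = out.pop(tag, None)
        if isinstance(val, str):
            residue |= _tokens(val)

    # Dates: keep the year only (assumed convention: YYYY0101).
    for tag in DATE_TAGS:
        val = out.get(tag)
        if isinstance(val, str) and re.fullmatch(r"\d{8}", val):
            out[tag] = val[:4] + "0101"

    # Ages over 89 are aggregated (assumed convention: "090Y").
    age = out.get(AGE_TAG)
    if isinstance(age, str) and re.fullmatch(r"\d{3}Y", age) and int(age[:3]) > 89:
        out[AGE_TAG] = "090Y"

    # Burned-in text cannot be fixed from the header; require pixel review.
    if str(out.get(BURNED_IN, "")).upper() == "YES":
        flags.append("BurnedInAnnotation=YES: review pixel data for text overlays")

    # Residue scan: any remaining string attribute that still contains a
    # fragment of a removed identifier (e.g. a name typed into a comment).
    for tag, val in out.items():
        if tag == PIXEL_DATA or not isinstance(val, str):
            continue
        if _tokens(val) & residue:
            flags.append(f"tag {tag[0]:04X},{tag[1]:04X} still contains identifier text")

    return out, flags


if __name__ == "__main__":
    clean, findings = de_identify(SAMPLE)
    for tag, val in clean.items():
        if tag != PIXEL_DATA:
            print(f"({tag[0]:04X},{tag[1]:04X}) {val}")
    for f in findings:
        print("REVIEW:", f)
```

The findings list is the important output: an image with any finding should not be sent until the comment is cleared and the pixel overlay is confirmed absent, since the codec preserves whatever tags and pixels it is given.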
6. Breach Notification
6.1 If You Experience a Breach
If PHI processed by our codec is compromised on your systems:
- Notify affected individuals within 60 days (HIPAA Breach Rule)
- Report to HHS Office for Civil Rights
- Notify media if > 500 individuals affected
- Inform us if the codec contributed to the breach
6.2 If We Experience a Breach
In the unlikely event we experience a breach involving your PHI (e.g., during BAA-covered support):
- We will notify you within 24 hours of discovery
- Provide details of the breach and mitigation steps
- Cooperate with your breach response and notification obligations
7. Enforcement and Penalties
HIPAA violations can result in significant penalties:
- Civil penalties: $100 - $50,000 per violation (up to $1.5M annually)
- Criminal penalties: Fines up to $250,000 and 10 years imprisonment
- State laws: Additional penalties under state breach notification laws
Ensure your implementation complies with all applicable regulations.
8. Compliance Resources
8.1 Documentation We Provide
- Software Description Document (for your risk assessment)
- Security architecture overview
- Validation testing results
- Business Associate Agreement (upon request)
8.2 External Resources
- HHS HIPAA Website
- HIPAA Security Rule Guidance
- NIST Cybersecurity Framework
- HITRUST Common Security Framework
9. Frequently Asked Questions
Q: Do I need a BAA to use the codec?
A: No. The codec processes images locally and doesn't transmit PHI to us. A BAA is only needed if you share PHI during support interactions.
Q: Does the codec log patient information?
A: No. The codec operates on image pixel data and doesn't parse or log DICOM metadata.
Q: Can I use the codec in a HIPAA-compliant PACS?
A: Yes. The codec is a processing component. Ensure your overall system architecture (network, storage, access controls) meets HIPAA requirements.
Q: What if my compliance officer requires a BAA anyway?
A: We're happy to sign a BAA for compliance documentation purposes. Contact legal@htmeta.dev.
Q: Is lossy compression HIPAA-compliant?
A: HIPAA doesn't prohibit lossy compression, but you must ensure it doesn't affect diagnostic quality. Use lossless mode for primary diagnostic images; lossy may be acceptable for secondary viewing or archives (consult your radiologists).
10. Contact Information
HIPAA Compliance Officer
HTJ2K MetaWave Inc.
123 Market Street, Suite 500
San Francisco, CA 94103
Email: hipaa@htmeta.dev
Legal/BAA Requests: legal@htmeta.dev
Security Incidents: security@htmeta.dev